Nasty New Java Zero Day Found; Exploit Kits Already Have It

UPDATE – Security experts are urging users to disable Java immediately after the discovery of another zero-day exploit that has been incorporated into the Blackhole, Redkit, Cool and Nuclear Pack exploit kits.

Kafeine refused to share any details on the vulnerability or exploit, while Blasco wrote on the AlienVault blog a short time ago that the exploit probably bypasses security checks in Java, “tricking the permissions of certain Java classes,” he said.

“This could be mayhem,” Kafeine said.

HD Moore, creator of Metasploit and CSO at Rapid7, told Threatpost the exploits are targeting a privilege escalation vulnerability in the MBeanInstantiator, as it exposes two classes which in turn expose the class loader. He expects a Metasploit module for this exploit to be ready today.

“Similar to previous bugs, it enables you to run Java code outside the sandbox, so the thing about that is that it’s not dependent on OS or platform. It will run the same exact code on Mac OS X, Windows or Linux,” Moore said. “The exploits going around are targeting Windows, but more than likely, we’ll see attacks for Mac like we did with the Flashback stuff last year.”

Moore said this one is similar to recent Java exploits.

“A lot of the recent Java exploits use a technique similar to this one where they find a class that’s already loaded in memory that accesses an object outside the sandbox, and then they use that object to load arbitrary code,” Moore said. “It’s about as bad as you can get in terms of a reliable Java exploit that affects the latest version of Java 1.7. It’s already being used by all the bad guys and at this point, it’s just catch-up and how fast Oracle can respond.”

Moore cautioned that many organizations are still running Java 1.6, and it is not yet clear whether the exploit affects that version.

“When they added 1.7 a year ago, there was so much code churn, a lot of these vulnerabilities came out of that,” Moore said. “Not because the code is any worse, but it’s a lot of new code that’s just now getting eyes looking at it.”

AlienVault’s Blasco said similar tactics were used in CVE-2012-4681, which was discovered last August. The vulnerability in Java 7u6 enabled attackers using a malicious Java applet to bypass security restrictions in Java to execute code remotely.

Oracle repaired the vulnerability in Java 7u7, released four days after the initial reports of the zero day.

Kafeine, meanwhile, has screenshots from the major exploit kits announcing the availability of the zero day. Security blogger Brian Krebs reported that Paunch, the hacker who sells the Blackhole kit, announced its availability yesterday on several hacker forums, calling it a “New Year’s Gift.” The people behind the Nuclear Pack soon followed suit. Paunch is believed to also manage the Cool Exploit Kit, home of the Reveton ransomware.

“At this point, it’s a question of taking it apart and figuring out what it’s doing,” Moore said. “The folks who built the exploit obfuscated large portions of it, so we’re still looking at it.”

For now, the only current mitigation is to disable Java. Oracle has yet to reply when it expects a patch; it has traditionally been slow to repair vulnerabilities, experts said.

“We’ve been telling folks to disable Java 10 times a year for the past couple of years now,” Moore said. “It’s really to the point where you should be telling people to keep it disabled all the time.”

Java is a prime target for exploit writers with a number of zero days targeting the platform in recent months. Attackers like Java because, as is the case with Adobe products such as Flash and Reader, the technology is installed everywhere. Unlike those products, Java still remains vulnerable on the desktop and exploits are usually reliable.

“A reliable Java exploit, even if it covers only 65 percent or 70 percent of the Java population, it’s still going to do a lot better than a Flash exploit that may have 100 percent saturation, but only 20 percent reliability,” Moore said. “That reliability and the fact it’s installed everywhere makes it a great target for folks who want to install code on machines.”

“Historically Sun and Oracle have been slow to patch. If you have the exploit, you still have a couple of weeks to keep using it before a fix gets out,” Moore said.

This article was updated to include comments from HD Moore and to clarify throughout.

Comments (13)

IMO, the problem isn’t necessarily Java and its exploits. The problem is that IE runs Java anyway unless you use registry hacks. Chrome blocks Java, but doesn’t give you a way to whitelist known good sites.

There’s always going to be some exploit, but browsers need to step up and give me the power to control those plugins more effectively.

You can’t be infected with it; what would happen is you would go to a website that would ask you if you want to run a Java applet. Normally the applet would have limits to what it can do, but one that uses this exploit could let an attacker easily take over your computer.
